diff options
Diffstat (limited to 'providers/implementations/rands')
| -rw-r--r-- | providers/implementations/rands/build.info | 2 | ||||
| -rw-r--r-- | providers/implementations/rands/drbg.c | 40 | ||||
| -rw-r--r-- | providers/implementations/rands/drbg_ctr.c | 2 | ||||
| -rw-r--r-- | providers/implementations/rands/drbg_hash.c | 10 | ||||
| -rw-r--r-- | providers/implementations/rands/drbg_hmac.c | 10 | ||||
| -rw-r--r-- | providers/implementations/rands/drbg_local.h | 5 | ||||
| -rw-r--r-- | providers/implementations/rands/seed_src_jitter.c | 336 | ||||
| -rw-r--r-- | providers/implementations/rands/seeding/rand_vxworks.c | 3 | ||||
| -rw-r--r-- | providers/implementations/rands/test_rng.c | 10 |
9 files changed, 400 insertions, 18 deletions
diff --git a/providers/implementations/rands/build.info b/providers/implementations/rands/build.info index 8bcac43be7..70f8454193 100644 --- a/providers/implementations/rands/build.info +++ b/providers/implementations/rands/build.info @@ -3,4 +3,4 @@ SUBDIRS=seeding $RANDS_GOAL=../../libdefault.a ../../libfips.a SOURCE[$RANDS_GOAL]=drbg.c test_rng.c drbg_ctr.c drbg_hash.c drbg_hmac.c crngt.c -SOURCE[../../libdefault.a]=seed_src.c +SOURCE[../../libdefault.a]=seed_src.c seed_src_jitter.c diff --git a/providers/implementations/rands/drbg.c b/providers/implementations/rands/drbg.c index 253131b10d..c15c4606e6 100644 --- a/providers/implementations/rands/drbg.c +++ b/providers/implementations/rands/drbg.c @@ -428,7 +428,7 @@ int ossl_prov_drbg_instantiate(PROV_DRBG *drbg, unsigned int strength, } #ifndef PROV_RAND_GET_RANDOM_NONCE else { /* parent == NULL */ - noncelen = prov_drbg_get_nonce(drbg, &nonce, drbg->min_noncelen, + noncelen = prov_drbg_get_nonce(drbg, &nonce, drbg->min_noncelen, drbg->max_noncelen); if (noncelen < drbg->min_noncelen || noncelen > drbg->max_noncelen) { @@ -935,7 +935,8 @@ int ossl_drbg_get_ctx_params(PROV_DRBG *drbg, OSSL_PARAM params[]) p = OSSL_PARAM_locate(params, OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL); if (p != NULL && !OSSL_PARAM_set_time_t(p, drbg->reseed_time_interval)) return 0; - + if (!OSSL_FIPS_IND_GET_CTX_PARAM(drbg, params)) + return 0; return 1; } @@ -990,13 +991,13 @@ int ossl_drbg_set_ctx_params(PROV_DRBG *drbg, const OSSL_PARAM params[]) p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL); if (p != NULL && !OSSL_PARAM_get_time_t(p, &drbg->reseed_time_interval)) return 0; + return 1; } -/* Confirm digest is allowed to be used with a DRBG */ -int ossl_drbg_verify_digest(ossl_unused OSSL_LIB_CTX *libctx, const EVP_MD *md) -{ #ifdef FIPS_MODULE +static int digest_allowed(const EVP_MD *md) +{ /* FIPS 140-3 IG D.R limited DRBG digests to a specific set */ static const char *const allowed_digests[] = { "SHA1", /* SHA 1 allowed */ @@ -1005,18 +1006,35 @@ int ossl_drbg_verify_digest(ossl_unused OSSL_LIB_CTX *libctx, const EVP_MD *md) }; size_t i; - if (FIPS_restricted_drbg_digests_enabled(libctx)) { - for (i = 0; i < OSSL_NELEM(allowed_digests); i++) - if (EVP_MD_is_a(md, allowed_digests[i])) - return 1; - ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED); - return 0; + for (i = 0; i < OSSL_NELEM(allowed_digests); i++) { + if (EVP_MD_is_a(md, allowed_digests[i])) + return 1; } + return 0; +} #endif + +/* Confirm digest is allowed to be used with a DRBG */ +int ossl_drbg_verify_digest(PROV_DRBG *drbg, OSSL_LIB_CTX *libctx, + const EVP_MD *md) +{ +#ifdef FIPS_MODULE + int approved = digest_allowed(md); + + if (!approved) { + if (!OSSL_FIPS_IND_ON_UNAPPROVED(drbg, OSSL_FIPS_IND_SETTABLE0, + libctx, "DRBG", "Digest", + FIPS_restricted_drbg_digests_enabled)) { + ERR_raise(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED); + return 0; + } + } +#else /* FIPS_MODULE */ /* Outside of FIPS, any digests that are not XOF are allowed */ if ((EVP_MD_get_flags(md) & EVP_MD_FLAG_XOF) != 0) { ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED); return 0; } +#endif /* FIPS_MODULE */ return 1; } diff --git a/providers/implementations/rands/drbg_ctr.c b/providers/implementations/rands/drbg_ctr.c index 0c4553ad58..abd0b1a1c8 100644 --- a/providers/implementations/rands/drbg_ctr.c +++ b/providers/implementations/rands/drbg_ctr.c @@ -625,6 +625,7 @@ static int drbg_ctr_new(PROV_DRBG *drbg) ctr->use_df = 1; drbg->data = ctr; + OSSL_FIPS_IND_INIT(drbg) return drbg_ctr_init_lengths(drbg); } @@ -697,6 +698,7 @@ static const OSSL_PARAM *drbg_ctr_gettable_ctx_params(ossl_unused void *vctx, OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_CIPHER, NULL, 0), OSSL_PARAM_int(OSSL_DRBG_PARAM_USE_DF, NULL), OSSL_PARAM_DRBG_GETTABLE_CTX_COMMON, + OSSL_FIPS_IND_GETTABLE_CTX_PARAM() OSSL_PARAM_END }; return known_gettable_ctx_params; diff --git a/providers/implementations/rands/drbg_hash.c b/providers/implementations/rands/drbg_hash.c index bc401b72a2..458b356b82 100644 --- a/providers/implementations/rands/drbg_hash.c +++ b/providers/implementations/rands/drbg_hash.c @@ -424,6 +424,8 @@ static int drbg_hash_new(PROV_DRBG *ctx) if (hash == NULL) return 0; + OSSL_FIPS_IND_INIT(ctx) + ctx->data = hash; ctx->seedlen = HASH_PRNG_MAX_SEEDLEN; ctx->max_entropylen = DRBG_MAX_LENGTH; @@ -496,6 +498,7 @@ static const OSSL_PARAM *drbg_hash_gettable_ctx_params(ossl_unused void *vctx, static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_DIGEST, NULL, 0), OSSL_PARAM_DRBG_GETTABLE_CTX_COMMON, + OSSL_FIPS_IND_GETTABLE_CTX_PARAM() OSSL_PARAM_END }; return known_gettable_ctx_params; @@ -509,12 +512,16 @@ static int drbg_hash_set_ctx_params_locked(void *vctx, const OSSL_PARAM params[] const EVP_MD *md; int md_size; + if (!OSSL_FIPS_IND_SET_CTX_PARAM(ctx, OSSL_FIPS_IND_SETTABLE0, params, + OSSL_DRBG_PARAM_FIPS_DIGEST_CHECK)) + return 0; + if (!ossl_prov_digest_load_from_params(&hash->digest, params, libctx)) return 0; md = ossl_prov_digest_md(&hash->digest); if (md != NULL) { - if (!ossl_drbg_verify_digest(libctx, md)) + if (!ossl_drbg_verify_digest(ctx, libctx, md)) return 0; /* Error already raised for us */ /* These are taken from SP 800-90 10.1 Table 2 */ @@ -561,6 +568,7 @@ static const OSSL_PARAM *drbg_hash_settable_ctx_params(ossl_unused void *vctx, OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_PROPERTIES, NULL, 0), OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_DIGEST, NULL, 0), OSSL_PARAM_DRBG_SETTABLE_CTX_COMMON, + OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_DRBG_PARAM_FIPS_DIGEST_CHECK) OSSL_PARAM_END }; return known_settable_ctx_params; diff --git a/providers/implementations/rands/drbg_hmac.c b/providers/implementations/rands/drbg_hmac.c index 5ebbe52e61..43c75bf434 100644 --- a/providers/implementations/rands/drbg_hmac.c +++ b/providers/implementations/rands/drbg_hmac.c @@ -316,6 +316,8 @@ static int drbg_hmac_new(PROV_DRBG *drbg) if (hmac == NULL) return 0; + OSSL_FIPS_IND_INIT(drbg) + drbg->data = hmac; /* See SP800-57 Part1 Rev4 5.6.1 Table 3 */ drbg->max_entropylen = DRBG_MAX_LENGTH; @@ -399,6 +401,7 @@ static const OSSL_PARAM *drbg_hmac_gettable_ctx_params(ossl_unused void *vctx, OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_MAC, NULL, 0), OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_DIGEST, NULL, 0), OSSL_PARAM_DRBG_GETTABLE_CTX_COMMON, + OSSL_FIPS_IND_GETTABLE_CTX_PARAM() OSSL_PARAM_END }; return known_gettable_ctx_params; @@ -412,11 +415,15 @@ static int drbg_hmac_set_ctx_params_locked(void *vctx, const OSSL_PARAM params[] const EVP_MD *md; int md_size; + if (!OSSL_FIPS_IND_SET_CTX_PARAM(ctx, OSSL_FIPS_IND_SETTABLE0, params, + OSSL_DRBG_PARAM_FIPS_DIGEST_CHECK)) + return 0; + if (!ossl_prov_digest_load_from_params(&hmac->digest, params, libctx)) return 0; md = ossl_prov_digest_md(&hmac->digest); - if (md != NULL && !ossl_drbg_verify_digest(libctx, md)) + if (md != NULL && !ossl_drbg_verify_digest(ctx, libctx, md)) return 0; /* Error already raised for us */ if (!ossl_prov_macctx_load_from_params(&hmac->ctx, params, @@ -465,6 +472,7 @@ static const OSSL_PARAM *drbg_hmac_settable_ctx_params(ossl_unused void *vctx, OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_DIGEST, NULL, 0), OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_MAC, NULL, 0), OSSL_PARAM_DRBG_SETTABLE_CTX_COMMON, + OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_DRBG_PARAM_FIPS_DIGEST_CHECK) OSSL_PARAM_END }; return known_settable_ctx_params; diff --git a/providers/implementations/rands/drbg_local.h b/providers/implementations/rands/drbg_local.h index 902dfc937d..f8907a3193 100644 --- a/providers/implementations/rands/drbg_local.h +++ b/providers/implementations/rands/drbg_local.h @@ -18,6 +18,7 @@ # include "internal/nelem.h" # include "internal/numbers.h" # include "prov/provider_ctx.h" +# include "prov/fipsindicator.h" /* How many times to read the TSC as a randomness source. */ # define TSC_READ_COUNT 4 @@ -171,6 +172,8 @@ struct prov_drbg_st { OSSL_CALLBACK *cleanup_entropy_fn; OSSL_INOUT_CALLBACK *get_nonce_fn; OSSL_CALLBACK *cleanup_nonce_fn; + + OSSL_FIPS_IND_DECLARE }; PROV_DRBG *ossl_rand_drbg_new @@ -255,6 +258,6 @@ void ossl_crngt_cleanup_entropy(PROV_DRBG *drbg, unsigned char *out, size_t outlen); /* Confirm digest is allowed to be used with a DRBG */ -int ossl_drbg_verify_digest(ossl_unused OSSL_LIB_CTX *libctx, const EVP_MD *md); +int ossl_drbg_verify_digest(PROV_DRBG *drbg, OSSL_LIB_CTX *libctx, const EVP_MD *md); #endif diff --git a/providers/implementations/rands/seed_src_jitter.c b/providers/implementations/rands/seed_src_jitter.c new file mode 100644 index 0000000000..3dea0959d4 --- /dev/null +++ b/providers/implementations/rands/seed_src_jitter.c @@ -0,0 +1,336 @@ +/* + * Copyright 2024 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <string.h> +#include <openssl/rand.h> +#include <openssl/core_dispatch.h> +#include <openssl/e_os2.h> +#include <openssl/params.h> +#include <openssl/core_names.h> +#include <openssl/evp.h> +#include <openssl/err.h> +#include <openssl/randerr.h> +#include <openssl/proverr.h> +#include "prov/implementations.h" +#include "prov/provider_ctx.h" +#include "crypto/rand.h" +#include "crypto/rand_pool.h" + +#ifndef OPENSSL_NO_JITTER +# include <jitterentropy.h> + +# define JITTER_MAX_NUM_TRIES 3 + +static OSSL_FUNC_rand_newctx_fn jitter_new; +static OSSL_FUNC_rand_freectx_fn jitter_free; +static OSSL_FUNC_rand_instantiate_fn jitter_instantiate; +static OSSL_FUNC_rand_uninstantiate_fn jitter_uninstantiate; +static OSSL_FUNC_rand_generate_fn jitter_generate; +static OSSL_FUNC_rand_reseed_fn jitter_reseed; +static OSSL_FUNC_rand_gettable_ctx_params_fn jitter_gettable_ctx_params; +static OSSL_FUNC_rand_get_ctx_params_fn jitter_get_ctx_params; +static OSSL_FUNC_rand_verify_zeroization_fn jitter_verify_zeroization; +static OSSL_FUNC_rand_enable_locking_fn jitter_enable_locking; +static OSSL_FUNC_rand_lock_fn jitter_lock; +static OSSL_FUNC_rand_unlock_fn jitter_unlock; +static OSSL_FUNC_rand_get_seed_fn jitter_get_seed; +static OSSL_FUNC_rand_clear_seed_fn jitter_clear_seed; + +typedef struct { + void *provctx; + int state; +} PROV_JITTER; + +static size_t get_jitter_random_value(PROV_JITTER *s, unsigned char *buf, size_t len); + +/* + * Acquire entropy from jitterentropy library + * + * Returns the total entropy count, if it exceeds the requested + * entropy count. Otherwise, returns an entropy count of 0. + */ +static size_t ossl_prov_acquire_entropy_from_jitter(PROV_JITTER *s, + RAND_POOL *pool) +{ + size_t bytes_needed; + unsigned char *buffer; + + bytes_needed = ossl_rand_pool_bytes_needed(pool, 1 /* entropy_factor */); + if (bytes_needed > 0) { + buffer = ossl_rand_pool_add_begin(pool, bytes_needed); + + if (buffer != NULL) { + if (get_jitter_random_value(s, buffer, bytes_needed) == bytes_needed) { + ossl_rand_pool_add_end(pool, bytes_needed, 8 * bytes_needed); + } else { + ossl_rand_pool_add_end(pool, 0, 0); + } + } + } + + return ossl_rand_pool_entropy_available(pool); +} + +/* Obtain random bytes from the jitter library */ +static size_t get_jitter_random_value(PROV_JITTER *s, + unsigned char *buf, size_t len) +{ + struct rand_data *jitter_ec = NULL; + ssize_t result = 0; + size_t num_tries; + + /* Retry intermittent failures, then give up */ + for (num_tries = 0; num_tries < JITTER_MAX_NUM_TRIES; num_tries++) { + /* Allocate a fresh collector */ + jitter_ec = jent_entropy_collector_alloc(0, JENT_FORCE_FIPS); + if (jitter_ec == NULL) + continue; + + /* Do not use _safe API as per typical security policies */ + result = jent_read_entropy(jitter_ec, (char *) buf, len); + jent_entropy_collector_free(jitter_ec); + + /* + * Permanent Failure + * https://github.com/smuellerDD/jitterentropy-library/issues/118 + */ + if (result < -5) + break; + + /* Success */ + if (result == len) + return len; + } + + /* Permanent failure or too many intermittent failures */ + s->state = EVP_RAND_STATE_ERROR; + ERR_raise_data(ERR_LIB_RAND, RAND_R_ERROR_RETRIEVING_ENTROPY, + "jent_read_entropy (%d)", result); + return 0; +} + +static void *jitter_new(void *provctx, void *parent, + const OSSL_DISPATCH *parent_dispatch) +{ + PROV_JITTER *s; + + if (parent != NULL) { + ERR_raise(ERR_LIB_PROV, PROV_R_SEED_SOURCES_MUST_NOT_HAVE_A_PARENT); + return NULL; + } + + s = OPENSSL_zalloc(sizeof(*s)); + if (s == NULL) + return NULL; + + s->provctx = provctx; + s->state = EVP_RAND_STATE_UNINITIALISED; + return s; +} + +static void jitter_free(void *vseed) +{ + OPENSSL_free(vseed); +} + +static int jitter_instantiate(void *vseed, unsigned int strength, + int prediction_resistance, + const unsigned char *pstr, + size_t pstr_len, + ossl_unused const OSSL_PARAM params[]) +{ + PROV_JITTER *s = (PROV_JITTER *)vseed; + int ret; + + if ((ret = jent_entropy_init_ex(0, JENT_FORCE_FIPS)) != 0) { + ERR_raise_data(ERR_LIB_RAND, RAND_R_ERROR_RETRIEVING_ENTROPY, + "jent_entropy_init_ex (%d)", ret); + s->state = EVP_RAND_STATE_ERROR; + return 0; + } + + s->state = EVP_RAND_STATE_READY; + return 1; +} + +static int jitter_uninstantiate(void *vseed) +{ + PROV_JITTER *s = (PROV_JITTER *)vseed; + + s->state = EVP_RAND_STATE_UNINITIALISED; + return 1; +} + +static int jitter_generate(void *vseed, unsigned char *out, size_t outlen, + unsigned int strength, + ossl_unused int prediction_resistance, + ossl_unused const unsigned char *adin, + ossl_unused size_t adin_len) +{ + PROV_JITTER *s = (PROV_JITTER *)vseed; + size_t entropy_available; + RAND_POOL *pool; + + if (s->state != EVP_RAND_STATE_READY) { + ERR_raise(ERR_LIB_PROV, + s->state == EVP_RAND_STATE_ERROR ? PROV_R_IN_ERROR_STATE + : PROV_R_NOT_INSTANTIATED); + return 0; + } + + pool = ossl_rand_pool_new(strength, 1, outlen, outlen); + if (pool == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB); + return 0; + } + + /* Get entropy from jitter entropy library. */ + entropy_available = ossl_prov_acquire_entropy_from_jitter(s, pool); + + if (entropy_available > 0) + memcpy(out, ossl_rand_pool_buffer(pool), ossl_rand_pool_length(pool)); + + ossl_rand_pool_free(pool); + return entropy_available > 0; +} + +static int jitter_reseed(void *vseed, + ossl_unused int prediction_resistance, + ossl_unused const unsigned char *ent, + ossl_unused size_t ent_len, + ossl_unused const unsigned char *adin, + ossl_unused size_t adin_len) +{ + PROV_JITTER *s = (PROV_JITTER *)vseed; + + if (s->state != EVP_RAND_STATE_READY) { + ERR_raise(ERR_LIB_PROV, + s->state == EVP_RAND_STATE_ERROR ? PROV_R_IN_ERROR_STATE + : PROV_R_NOT_INSTANTIATED); + return 0; + } + return 1; +} + +static int jitter_get_ctx_params(void *vseed, OSSL_PARAM params[]) +{ + PROV_JITTER *s = (PROV_JITTER *)vseed; + OSSL_PARAM *p; + + p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STATE); + if (p != NULL && !OSSL_PARAM_set_int(p, s->state)) + return 0; + + p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STRENGTH); + if (p != NULL && !OSSL_PARAM_set_int(p, 1024)) + return 0; + + p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_REQUEST); + if (p != NULL && !OSSL_PARAM_set_size_t(p, 128)) + return 0; + return 1; +} + +static const OSSL_PARAM *jitter_gettable_ctx_params(ossl_unused void *vseed, + ossl_unused void *provctx) +{ + static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_int(OSSL_RAND_PARAM_STATE, NULL), + OSSL_PARAM_uint(OSSL_RAND_PARAM_STRENGTH, NULL), + OSSL_PARAM_size_t(OSSL_RAND_PARAM_MAX_REQUEST, NULL), + OSSL_PARAM_END + }; + return known_gettable_ctx_params; +} + +static int jitter_verify_zeroization(ossl_unused void *vseed) +{ + return 1; +} + +static size_t jitter_get_seed(void *vseed, unsigned char **pout, + int entropy, size_t min_len, + size_t max_len, + int prediction_resistance, + const unsigned char *adin, + size_t adin_len) +{ + size_t ret = 0; + size_t entropy_available = 0; + size_t i; + RAND_POOL *pool; + PROV_JITTER *s = (PROV_JITTER *)vseed; + + pool = ossl_rand_pool_new(entropy, 1, min_len, max_len); + if (pool == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB); + return 0; + } + + /* Get entropy from jitter entropy library. */ + entropy_available = ossl_prov_acquire_entropy_from_jitter(s, pool); + + if (entropy_available > 0) { + ret = ossl_rand_pool_length(pool); + *pout = ossl_rand_pool_detach(pool); + + /* xor the additional data into the output */ + for (i = 0; i < adin_len; ++i) + (*pout)[i % ret] ^= adin[i]; + } else { + ERR_raise(ERR_LIB_PROV, PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK); + } + ossl_rand_pool_free(pool); + return ret; +} + +static void jitter_clear_seed(ossl_unused void *vdrbg, + unsigned char *out, size_t outlen) +{ + OPENSSL_secure_clear_free(out, outlen); +} + +static int jitter_enable_locking(ossl_unused void *vseed) +{ + return 1; +} + +int jitter_lock(ossl_unused void *vctx) +{ + return 1; +} + +void jitter_unlock(ossl_unused void *vctx) +{ +} + +const OSSL_DISPATCH ossl_jitter_functions[] = { + { OSSL_FUNC_RAND_NEWCTX, (void(*)(void))jitter_new }, + { OSSL_FUNC_RAND_FREECTX, (void(*)(void))jitter_free }, + { OSSL_FUNC_RAND_INSTANTIATE, + (void(*)(void))jitter_instantiate }, + { OSSL_FUNC_RAND_UNINSTANTIATE, + (void(*)(void))jitter_uninstantiate }, + { OSSL_FUNC_RAND_GENERATE, (void(*)(void))jitter_generate }, + { OSSL_FUNC_RAND_RESEED, (void(*)(void))jitter_reseed }, + { OSSL_FUNC_RAND_ENABLE_LOCKING, (void(*)(void))jitter_enable_locking }, + { OSSL_FUNC_RAND_LOCK, (void(*)(void))jitter_lock }, + { OSSL_FUNC_RAND_UNLOCK, (void(*)(void))jitter_unlock }, + { OSSL_FUNC_RAND_GETTABLE_CTX_PARAMS, + (void(*)(void))jitter_gettable_ctx_params }, + { OSSL_FUNC_RAND_GET_CTX_PARAMS, (void(*)(void))jitter_get_ctx_params }, + { OSSL_FUNC_RAND_VERIFY_ZEROIZATION, + (void(*)(void))jitter_verify_zeroization }, + { OSSL_FUNC_RAND_GET_SEED, (void(*)(void))jitter_get_seed }, + { OSSL_FUNC_RAND_CLEAR_SEED, (void(*)(void))jitter_clear_seed }, + OSSL_DISPATCH_END +}; +#else +NON_EMPTY_TRANSLATION_UNIT +#endif diff --git a/providers/implementations/rands/seeding/rand_vxworks.c b/providers/implementations/rands/seeding/rand_vxworks.c index a28fbd7997..64bc298010 100644 --- a/providers/implementations/rands/seeding/rand_vxworks.c +++ b/providers/implementations/rands/seeding/rand_vxworks.c @@ -105,8 +105,7 @@ size_t ossl_pool_acquire_entropy(RAND_POOL *pool) size_t bytes_needed; bytes_needed = ossl_rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); - if (bytes_needed > 0) - { + if (bytes_needed > 0) { int retryCount = 0; STATUS result = ERROR; unsigned char *buffer; diff --git a/providers/implementations/rands/test_rng.c b/providers/implementations/rands/test_rng.c index 57b36469ca..72e815bebf 100644 --- a/providers/implementations/rands/test_rng.c +++ b/providers/implementations/rands/test_rng.c @@ -20,6 +20,7 @@ #include "prov/provider_ctx.h" #include "prov/provider_util.h" #include "prov/implementations.h" +#include "prov/fipsindicator.h" static OSSL_FUNC_rand_newctx_fn test_rng_new; static OSSL_FUNC_rand_freectx_fn test_rng_free; @@ -196,8 +197,14 @@ static int test_rng_get_ctx_params(void *vtest, OSSL_PARAM params[]) return 0; p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_GENERATE); - if (p != NULL && OSSL_PARAM_set_uint(p, t->generate)) + if (p != NULL && !OSSL_PARAM_set_uint(p, t->generate)) return 0; + +#ifdef FIPS_MODULE + p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_FIPS_APPROVED_INDICATOR); + if (p != NULL && !OSSL_PARAM_set_int(p, 0)) + return 0; +#endif /* FIPS_MODULE */ return 1; } @@ -209,6 +216,7 @@ static const OSSL_PARAM *test_rng_gettable_ctx_params(ossl_unused void *vtest, OSSL_PARAM_uint(OSSL_RAND_PARAM_STRENGTH, NULL), OSSL_PARAM_size_t(OSSL_RAND_PARAM_MAX_REQUEST, NULL), OSSL_PARAM_uint(OSSL_RAND_PARAM_GENERATE, NULL), + OSSL_FIPS_IND_GETTABLE_CTX_PARAM() OSSL_PARAM_END }; return known_gettable_ctx_params; |